Code Injection in protobuf.js - #VU126312

 

Code Injection in protobuf.js - #VU126312

Published: April 16, 2026


Vulnerability identifier: #VU126312
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: protobuf.js
Affected software:
protobuf.js

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to code injection in protobuf definition compilation when processing attacker-controlled protobuf definitions during object decoding. A remote user can inject arbitrary code into the "type" fields of protobuf definitions to execute arbitrary code.

Exploitation requires control over the protobuf definition files used by the application.


Remediation

Install security update from vendor's website.

Sources